Malware, short for malicious software, is software or a file used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
In order to protect computer operation, various methods and systems have been developed in the past to detect malware. The efficient detection of malware is highly challenging, since a vast number of new malware programs appear every day. For instance, it is believed that approximately 300,000 new malware samples appeared per day in 2014. Most of these are variants of existing malware.
FIG. 1 and FIG. 2 describe a prior art method for detecting malware. Most malware detectors which are currently used in the IT industry rely on the solution described in FIGS. 1 and 2.
A file “File 1” is received by the malware detector 1. The malware detector 1 includes a database 2 which stores a plurality of signatures 3. These signatures 3 each represent the content of known malware. For instance, “signature 1” represents the content of a known “malware 1”.
The malware detector 1 compares the file “File 1” with each signature. If this comparison shows that the content of File 1 is the same as at least one of the signatures 3, the malware detector outputs a positive answer 4, meaning that File 1 is malware. If not, the malware detector outputs a negative answer 5, meaning that File 1 is not malware.
However, as indicated above, a large amount of new malware is created every day. It thus happens frequently that despite the fact that a file is malware, the malware detector is not able to detect it. Indeed, as the malware detector has never encountered such malware in the past, its database does not store a corresponding signature which could help it detect said malware. This is the case even if the new malware was created by making only small modifications to an existing and known malware for which the malware detector stores the corresponding signature.
After it appears that a file (see File 4 in FIG. 2) is new malware which was not detected by the malware detector (for instance following an alert raised by the user to the malware detector maker), an update of the database has to be performed, to avoid such a lack of detection in the future.
For this, a tedious effort, often involving skilled professionals, is made to define a signature for this newly detected file (Signature 4 in FIG. 2). This analysis and definition are often based on heuristics and manual tuning. Once the new signature is defined, it is sent through a network (e.g. the Internet) to all the users of the malware detector, in order to update their databases. Typically, a few updates per day are sent to each user of the malware detector. This frequency may be higher depending on the number of newly created malware samples.
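As an added example (not part of the original description), the following Python models the detector of FIGS. 1 and 2 end to end: a signature is taken here to be the SHA-256 hash of the whole file content (an assumption; the text does not specify how a signature represents content), an exact match yields the positive answer 4, a variant differing from known malware by a single byte is missed, and the database update of FIG. 2 then adds its signature. All sample file contents are constructed bytes, not real malware.

```python
import hashlib

# Constructed sample file contents for illustration only (arbitrary bytes, not real malware).
KNOWN_MALWARE_1 = b"payload-A-v1\x00\x01\x02"
VARIANT_OF_1 = b"payload-A-v1\x00\x01\x03"   # differs from malware 1 in exactly one byte
BENIGN_FILE = b"hello, world"


def signature(content: bytes) -> str:
    """Signature of a file's content as stored in database 2 of FIG. 1.
    Assumption: the SHA-256 hash of the whole file, so only identical content matches."""
    return hashlib.sha256(content).hexdigest()


class MalwareDetector:
    """Signature-based detector (malware detector 1): a database of signatures 3 and a
    check that returns the positive answer 4 only on an exact signature match."""

    def __init__(self, known_samples: dict):
        # map signature -> name of the known malware it represents
        self.database = {signature(content): name for name, content in known_samples.items()}

    def check(self, file_content: bytes) -> bool:
        return signature(file_content) in self.database

    def update(self, name: str, file_content: bytes) -> None:
        """Database update of FIG. 2: once a missed file has been analysed, its
        signature (e.g. 'Signature 4') is added so the same content is detected next time."""
        self.database[signature(file_content)] = name


def demo():
    detector = MalwareDetector({"malware 1": KNOWN_MALWARE_1})
    before = {
        "known": detector.check(KNOWN_MALWARE_1),   # True: exact match with signature 1
        "variant": detector.check(VARIANT_OF_1),    # False: one changed byte, no signature yet
        "benign": detector.check(BENIGN_FILE),      # False: not in the database
    }
    # The variant is later identified (e.g. following a user alert) and its signature distributed.
    detector.update("malware 4", VARIANT_OF_1)
    after = detector.check(VARIANT_OF_1)            # True only after the update
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before update:", before)
    print("variant detected after update:", after)
```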
Other prior art solutions rely on the signature-based detection described with reference to FIGS. 1 and 2 and further perform additional processing of the file, which may increase the time needed to detect that the file constitutes malware.
These prior art solutions suffer from several drawbacks: malware for which no signature has yet been stored, including minor variants of known malware, goes undetected, and defining and distributing each new signature requires manual effort and introduces delay.
Accordingly there is a need in the art to provide a new technique to detect malware.